refactor: Clean up code

Author: joachimvh

packages/uma/config/routes/introspection.json

@@ -9,8 +9,7 @@
       "methods": [ "POST" ],
       "handler": {
         "@type": "IntrospectionHandler",
-        "tokenStore": { "@id": "urn:uma:default:TokenStore" },
-        "jwtTokenFactory": { "@id": "urn:uma:default:TokenFactory" }
+        "tokenFactory": { "@id": "urn:uma:default:TokenFactory" }
       },
       "path": "/uma/introspect"
     }

packages/uma/src/credentials/verify/JwtVerifier.ts

@@ -53,10 +53,14 @@ export class JwtVerifier implements Verifier {
       await jwtVerify(credential.token, Object.assign(jwk, { type: 'JWK' }));
     }
 
-    for (const claim of Object.keys(claims)) if (!this.allowedClaims.includes(claim)) {
-      if (this.errorOnExtraClaims) throw new Error(`Claim '${claim}' not allowed.`);
+    for (const claim of Object.keys(claims)) {
+      if (!this.allowedClaims.includes(claim)) {
+        if (this.errorOnExtraClaims) {
+          throw new Error(`Claim '${claim}' not allowed.`);
+        }
 
-      delete claims[claim];
+        delete claims[claim];
+      }
     }
 
     this.logger.debug(`Returning discovered claims: ${JSON.stringify(claims)}`)

packages/uma/src/credentials/verify/SolidOidcVerifier.ts

@@ -1,4 +1,4 @@
-import { getLoggerFor } from '@solid/community-server';
+import { BadRequestHttpError, getLoggerFor } from '@solid/community-server';
 import { Verifier } from './Verifier';
 import { ClaimSet } from '../ClaimSet';
 import { Credential } from "../Credential";
@@ -18,7 +18,7 @@ export class SolidOidcVerifier implements Verifier {
   public async verify(credential: Credential): Promise<ClaimSet> {
     this.logger.debug(`Verifying credential ${JSON.stringify(credential)}`);
     if (credential.format !== OIDC) {
-      throw new Error(`Token format ${credential.format} does not match this processor's format.`);
+      throw new BadRequestHttpError(`Token format ${credential.format} does not match this processor's format.`);
     }
 
     try {
@@ -35,7 +35,7 @@ export class SolidOidcVerifier implements Verifier {
       const message = `Error verifying OIDC ID Token: ${(error as Error).message}`;
 
       this.logger.debug(message);
-      throw new Error(message);
+      throw new BadRequestHttpError(message);
     }
   }
 }

packages/uma/src/dialog/BaseNegotiator.ts

@@ -23,13 +23,13 @@ import { serializePolicyInstantiation } from '../logging/OperationSerializer';
  */
 export class BaseNegotiator implements Negotiator {
   protected readonly logger = getLoggerFor(this);
-  operationLogger = getOperationLogger();
+  protected readonly operationLogger = getOperationLogger();
 
   /**
    * Construct a new Negotiator
    * @param verifier - The Verifier used to verify Claims of incoming Credentials.
    * @param ticketStore - A KeyValueStorage to track Tickets.
-   * @param ticketManager - The strategy describing the life cycle of a Ticket.
+   * @param ticketingStrategy - The strategy describing the life cycle of a Ticket.
    * @param tokenFactory - A factory for minting Access Tokens.
    */
   public constructor(
@@ -41,10 +41,6 @@ export class BaseNegotiator implements Negotiator {
 
   /**
    * Performs UMA grant negotiation.
-   *
-   * @param {TokenRequest} body - request body
-   * @param {HttpHandlerContext} context - request context
-   * @return {Promise<TokenResponse>} tokens - yielded tokens
    */
   public async negotiate(input: DialogInput): Promise<DialogOutput> {
     reType(input, DialogInput);

packages/uma/src/dialog/ContractNegotiator.ts

@@ -21,14 +21,13 @@ import { DialogOutput } from './Output';
 export class ContractNegotiator extends BaseNegotiator {
   protected readonly logger = getLoggerFor(this);
 
-  // protected readonly operationLogger = getOperationLogger();
   protected readonly contractManager = new ContractManager();
 
   /**
    * Construct a new Negotiator
    * @param verifier - The Verifier used to verify Claims of incoming Credentials.
    * @param ticketStore - A KeyValueStore to track Tickets.
-   * @param ticketManager - The strategy describing the life cycle of a Ticket.
+   * @param ticketingStrategy - The strategy describing the life cycle of a Ticket.
    * @param tokenFactory - A factory for minting Access Tokens.
    */
   public constructor(
@@ -43,15 +42,15 @@ export class ContractNegotiator extends BaseNegotiator {
 
   /**
    * Performs UMA grant negotiation.
-   *
-   * @param {TokenRequest} body - request body
-   * @param {HttpHandlerContext} context - request context
-   * @return {Promise<TokenResponse>} tokens - yielded tokens
    */
   public async negotiate(input: DialogInput): Promise<DialogOutput> {
     reType(input, DialogInput);
-    if (!input.permissions && input.permission?.length)
-      input.permissions = input.permission.map(p => processRequestPermission(p))
+    if (!input.permissions && input.permission?.length) {
+      input = {
+        ...input,
+        permissions: input.permission.map(p => processRequestPermission(p)),
+      };
+    }
     this.logger.debug(`Input. ${JSON.stringify(input)}`);
     // Create or retrieve ticket
     const ticket = await this.getTicket(input);
@@ -170,7 +169,7 @@ export class ContractNegotiator extends BaseNegotiator {
       const policyCreationResponse = await fetch(instantiatedPolicyContainer, {
         method: 'POST',
         headers: { 'content-type': 'application/ld+json' },
-        body: JSON.stringify(contract, null, 2)
+        body: JSON.stringify(contract),
       });
 
       if (policyCreationResponse.status !== 201) {

packages/uma/src/policies/authorizers/NamespacedAuthorizer.ts

@@ -2,10 +2,9 @@ import { getLoggerFor, KeyValueStorage } from '@solid/community-server';
 import { ResourceDescription } from '../../views/ResourceDescription';
 import { Authorizer } from './Authorizer';
 import { Permission } from '../../views/Permission';
-import { Requirements, type ClaimVerifier } from '../../credentials/Requirements';
+import { Requirements } from '../../credentials/Requirements';
 import { ClaimSet } from '../../credentials/ClaimSet';
 
-const NO_RESOURCE = Symbol();
 const namespace = (resource: string) => new URL(resource).pathname.split('/')?.[2] ?? '';
 
 /**
@@ -39,8 +38,8 @@ export class NamespacedAuthorizer implements Authorizer {
     const ns = query[0].resource_id ? await this.findNamespace(query[0].resource_id) : undefined;
 
     // Check namespaces of other resources
-    for (const permission of query) {
-      if ((permission.resource_id ? namespace(permission.resource_id) : undefined) !== ns) {
+    for (let i = 1; i < query.length; ++i) {
+      if ((query[i].resource_id ? await this.findNamespace(query[i].resource_id) : undefined) !== ns) {
         this.logger.warn(`Cannot calculate permissions over multiple namespaces at once.`);
         return [];
       }
@@ -64,8 +63,8 @@ export class NamespacedAuthorizer implements Authorizer {
     const ns = await this.findNamespace(permissions[0].resource_id);
 
     // Check namespaces of other resources
-    for (const permission of permissions) {
-      if (namespace(permission.resource_id) !== ns) {
+    for (let i = 1; i < permissions.length; ++i) {
+      if (await this.findNamespace(permissions[i].resource_id) !== ns) {
         this.logger.warn(`Cannot calculate credentials over multiple namespaces at once.`);
         return [];
       }

packages/uma/src/policies/authorizers/OdrlAuthorizer.ts

@@ -1,6 +1,13 @@
-import { createVocabulary, DC, getLoggerFor, RDF } from '@solid/community-server';
+import {
+  BadRequestHttpError,
+  createVocabulary,
+  DC,
+  getLoggerFor,
+  NotImplementedHttpError,
+  RDF
+} from '@solid/community-server';
 import { basicPolicy, ODRL, UCPPolicy, UCRulesStorage } from '@solidlab/ucp';
-import { DataFactory, Literal, NamedNode, Quad_Subject, Store, Writer } from 'n3';
+import { DataFactory, Literal, NamedNode, Quad_Subject, Store } from 'n3';
 import { EyeReasoner, ODRLEngineMultipleSteps, ODRLEvaluator } from 'odrl-evaluator'
 import { WEBID } from '../../credentials/Claims';
 import { ClaimSet } from '../../credentials/ClaimSet';
@@ -62,19 +69,17 @@ export class OdrlAuthorizer implements Authorizer {
 
         // prepare sotw
         const sotw = new Store();
-        sotw.add(quad(namedNode('http://example.com/request/currentTime'), namedNode('http://purl.org/dc/terms/issued'), literal(new Date().toISOString(), namedNode("http://www.w3.org/2001/XMLSchema#dateTime"))));
+        sotw.add(quad(
+          namedNode('http://example.com/request/currentTime'),
+          namedNode('http://purl.org/dc/terms/issued'),
+          literal(new Date().toISOString(), namedNode("http://www.w3.org/2001/XMLSchema#dateTime"))),
+        );
 
         const subject = typeof claims[WEBID] === 'string' ? claims[WEBID] : 'urn:solidlab:uma:id:anonymous';
 
-
         for (const {resource_id, resource_scopes} of query) {
-            if (!resource_id) {
-                this.logger.warn('The OdrlAuthorizer can only calculate permissions for explicit resources.');
-                continue;
-            }
-
             grantedPermissions[resource_id] = [];
-            const actions = resource_scopes ? transformActionsCssToOdrl(resource_scopes) : ["http://www.w3.org/ns/odrl/2/use"]
+            const actions = transformActionsCssToOdrl(resource_scopes);
             for (const action of actions) {
                 this.logger.info(`Evaluating Request [S R AR]: [${subject} ${resource_id} ${action}]`);
                 const requestPolicy: UCPPolicy = {
@@ -119,7 +124,7 @@ export class OdrlAuthorizer implements Authorizer {
     }
 
     public async credentials(permissions: Permission[], query?: Requirements | undefined): Promise<Requirements[]> {
-        throw new Error("Method not implemented.");
+        throw new NotImplementedHttpError('Method not implemented.');
     }
 
 }
@@ -141,7 +146,13 @@ function transformActionsCssToOdrl(actions: string[]): string[] {
 
     // in UMAPermissionReader, only the last part of the URN will be used, divided by a colon
     // again, see CSS package
-    return actions.map(action => scopeCssToOdrl.get(action)!);
+    return actions.map(action => {
+      const result = scopeCssToOdrl.get(action);
+      if (!result) {
+        throw new BadRequestHttpError(`Unsupported action ${action}`);
+      }
+      return result;
+    });
 }
 /**
  * Transform ODRL Actions to equivalent Actions enforced by the Community Solid Server

packages/uma/src/policies/authorizers/WebIdAuthorizer.ts

@@ -14,8 +14,7 @@ export class WebIdAuthorizer implements Authorizer {
   /**
    * Creates a PublicNamespaceAuthorizer with the given public namespaces.
    *
-   * @param namespaces - A list of namespaces that should be publicly accessible.
-   * @param authorizer - The Authorizer to use for other resources.
+   * @param webids - The WebIDs that can be used.
    */
   constructor(
     protected webids: string[],
@@ -44,7 +43,7 @@ export class WebIdAuthorizer implements Authorizer {
     if (query && !Object.keys(query).includes(WEBID)) return [];
 
     return [{
-      [WEBID]: async (webid) => typeof webid ===  'string' && this.webids.includes(webid),
+      [WEBID]: async (webid) => typeof webid === 'string' && this.webids.includes(webid),
     }];
   }
 }

packages/uma/src/routes/Config.ts

@@ -1,6 +1,6 @@
 import { ASYMMETRIC_CRYPTOGRAPHIC_ALGORITHM }
   from '@solid/access-token-verifier/dist/constant/ASYMMETRIC_CRYPTOGRAPHIC_ALGORITHM';
-import { getLoggerFor } from '@solid/community-server';
+import { getLoggerFor, joinUrl } from '@solid/community-server';
 import { HttpHandler, HttpHandlerContext, HttpHandlerResponse } from '../util/http/models/HttpHandler';
 
 // eslint-disable no-unused-vars
@@ -59,13 +59,13 @@ export class ConfigRequestHandler extends HttpHandler {
    */
   public getConfig(): UmaConfiguration {
     return {
-      jwks_uri: `${this.baseUrl}/keys`,
-      token_endpoint: `${this.baseUrl}/token`,
+      jwks_uri: joinUrl(this.baseUrl, 'keys'),
+      token_endpoint: joinUrl(this.baseUrl, 'token'),
       grant_types_supported: ['urn:ietf:params:oauth:grant-type:uma-ticket'],
-      issuer: `${this.baseUrl}`,
-      permission_endpoint: `${this.baseUrl}/ticket`,
-      introspection_endpoint: `${this.baseUrl}/introspect`,
-      resource_registration_endpoint: `${this.baseUrl}/resources/`,
+      issuer: this.baseUrl,
+      permission_endpoint: joinUrl(this.baseUrl, 'ticket'),
+      introspection_endpoint: joinUrl(this.baseUrl, 'introspect'),
+      resource_registration_endpoint: joinUrl(this.baseUrl, 'resources/'),
       uma_profiles_supported: ['http://openid.net/specs/openid-connect-core-1_0.html#IDToken'],
       dpop_signing_alg_values_supported: [...ASYMMETRIC_CRYPTOGRAPHIC_ALGORITHM],
       response_types_supported: [ResponseType.Token],

packages/uma/src/routes/Introspection.ts

@@ -1,10 +1,7 @@
-import { BadRequestHttpError, getLoggerFor, KeyValueStorage, UnauthorizedHttpError } from '@solid/community-server';
-import { AccessToken } from '../tokens/AccessToken';
-import { JwtTokenFactory } from '../tokens/JwtTokenFactory';
-import { SerializedToken } from '../tokens/TokenFactory';
+import { BadRequestHttpError, getLoggerFor, UnauthorizedHttpError } from '@solid/community-server';
+import { TokenFactory } from '../tokens/TokenFactory';
 import { HttpHandler, HttpHandlerContext, HttpHandlerResponse } from '../util/http/models/HttpHandler';
 import { verifyRequest } from '../util/HttpMessageSignatures';
-import { jwtDecrypt } from 'jose';
 
 
 type IntrospectionResponse = {
@@ -28,71 +25,32 @@ export class IntrospectionHandler extends HttpHandler {
   /**
    * Creates an introspection handler for tokens in the given token store.
    *
-   * @param tokenStore - The store containing the tokens.
-   * @param jwtTokenFactory - The factory with which to produce JWT representations of the tokens.
+   * @param tokenFactory - The factory with which tokens were produced.
    */
   constructor(
-    private readonly tokenStore: KeyValueStorage<string, AccessToken>,
-    private readonly jwtTokenFactory: JwtTokenFactory,
+    private readonly tokenFactory: TokenFactory,
   ) {
     super();
   }
 
-  async handle({request}: HttpHandlerContext): Promise<HttpHandlerResponse<any>> {
+  async handle({request}: HttpHandlerContext): Promise<HttpHandlerResponse<IntrospectionResponse>> {
     if (!await verifyRequest(request)) throw new UnauthorizedHttpError();
 
-    if (!request.body /*|| !(request.body instanceof Object) */) { // todo: why was the object check here??
+    if (!request.body) {
       throw new BadRequestHttpError('Missing request body.');
     }
 
     const token = new URLSearchParams(request.body as Record<string, string>).get('token');
     try {
-      if(!token) throw new Error('could not extract token from request body')
-      const unsignedToken = await this.processJWTToken(token)
+      if (!token) throw new Error('could not extract token from request body')
+      const unsignedToken = await this.tokenFactory.deserialize(token);
       return {
         status: 200,
-        body: unsignedToken,
+        body: { ...unsignedToken, active: true },
       };
     } catch (e) {
-      // Todo: The JwtTokenFactory DOES NOT STORE THE TOKEN IN THE TOKENSTORE IN A WAY WE CAN RETRIEVE HERE! How to fix?
       this.logger.warn(`Token introspection failed: ${e}`)
       throw new BadRequestHttpError('Invalid request body.');
     }
-
-
-    // Opaque token left-overs - ask Wouter?
-
-    // try {
-    //   const opaqueToken = new URLSearchParams(request.body).get('token');
-    //   if (!opaqueToken) throw new Error ();
-
-    //   const jwt = this.opaqueToJwt(opaqueToken);
-    //   return {
-    //     headers: {'content-type': 'application/json'},
-    //     status: 200,
-    //     body: jwt,
-    //   };
-    // } catch (e) {
-    //   throw new BadRequestHttpError('Invalid request body.');
-    // }
-
-  }
-
-
-  private async processJWTToken(signedJWT: string): Promise<IntrospectionResponse> {
-    this.logger.info(JSON.stringify(this.tokenStore.entries().next(), null, 2))
-    const token = (await this.tokenStore.get(signedJWT)) as IntrospectionResponse;
-    if (!token) throw new Error('Token not found.');
-    token.active = true
-    return token
-  }
-
-  // todo: check with Wouter what the goal here is? Since the Opaque Token Factory is not used atm?
-  private async opaqueToJwt(opaque: string): Promise<SerializedToken> {
-    const token = await this.tokenStore.get(opaque);
-    if (!token) throw new Error('Token not found.');
-
-    return this.jwtTokenFactory.serialize({ ...token, active: true } as AccessToken);
   }
-
 }